Σχόλια 0

Το κείμενο του εγγράφου

Security andAuthorization·Access to large databases is generally selective:·Distinct users have distinct privileges.·The process of defining and granting theseprivileges is called authorization.·Authorization is generally apositiveaction,designed to grant specific users specificprivileges.·Large databases must also be protected fromthose trying to obtain information which they arenot intended to have.·Intruders may attempt to gain access to thesystem from the outside.·“Insiders” may attempt to bypass theauthorization mechanism and look atinformation which they are not supposed tohave.·Authorized users (e.g. the general public) mayattempt to extract unintended information fromstatistical databases via techniques such astrackers.·Measures taken to control such access fallunder the general heading of security, which isgenerally anegativeorpreventivemeasure.20051209: slides19:1of 22AuthorizationGenerally speaking, there are two flavors ofauthorization:·Discretionary:Individuals are given certainaccess privileges on data objects, as well as topropagate (grant)

such privileges.

·Mandatory:Each data object has a certain fixedclassification, as does each user. Only users withan appropriate classification may access a givendata object.20051209: slides19:2of 22Discretionary Access ControlAnauthorityis a specification that a certain userhas, or group of users have, the right to perform agiven action on the database.·The action of assigning authority is calledgranting.·The action of relinquishing authority is calledrevocation.The basic rules are the following:·A user U has privilege P if and only ifsomeotheruser V with the authority to grant that privilegehas in fact granted it to U.·Only a user U with privilege Pandthe authority togrant P to others may in fact grant that privilegeto a second user V.·A user U may revoke a privilege P from user V ifand only if U had earlier granted that privilege toV.·The database administrator (DBA) grantsinitial privileges; to avoid a chicken-and-eggproblem.20051209: slides19:3of 22·Authorization and SQLThe general syntax for assignment of a privilege isas follows:GRANT<list of privileges>ON<list of database objects>TO<list of users>[WITH GRANT OPTION] ;The legal privileges are:·SELECT, INSERT, UPDATE, DELETE;·USAGE, REFERENCES (not discussed here).Examples:The following gives users Smith and Jones have theright to issue read-only (i.e.,Select) queries on thetables Employee and Department.GRANT SELECTON Employee, DepartmentTO Smith, JonesThe following gives user Smith not only the selectprivilege on this table, but also the right to pass thisprivilege along to other users.GRANT SELECTON Employee, DepartmentTO SmithWITH GRANT OPTION20051209: slides19:4of 22The next statement gives Smith both select andupdate privileges on the Employee table.·Note that UPDATE has a specific semantics here;namely “change entries.” It does not imply theright to insert new tuples or to delete existingones.GRANT SELECT, UPDATEON EmployeeTO Smith;The following statement grants all three forms ofmodification:GRANT SELECT, UPDATE, INSERT, DELETEON EmployeeTO Smith;In principle, it is possible to grant modificationprivileges without view privileges, but this would berare.GRANT INSERTON EmployeeTO Smith;20051209: slides19:5of 22To grant privileges on only part of a relation orrelations, one must first create a view:CREATE VIEW POOR_NAMES_ONLY ASSELECT Lname, Minit, FnameFROM EmployeeWHERE (Salary < 20000);GRANT SELECTON POOR_NAMES_ONLYTO Smith;It is even possible to grant privileges which are validonly at certain times.CREATE VIEW POOR_NAMES_9_TO_5 ASSELECT Lname, Minit, FnameFROM EmployeeWHERE (Salary < 20000)

AND CURRENT_TIME >= ’09:00:00’AND CURRENT_TIME <= ’17:00:00’;GRANT SELECTON POOR_NAMES_9_TO_5TO Smith;20051209: slides19:6of 22The complement of GRANT is REVOKE. Thegeneral syntax is as follows:REVOKE [GRANT OPTION FOR]<list of privileges>ON<list of database objects>FROM<list of users>RESTRICT | CASCADE;Examples:The following revokes the privilege of Smith toexecute select operations on the relation employee,and also also revokes (in cascading fashion) anysuch privileges which Smith (alone) granted:REVOKE SELECTON EmployeeFROM SmithCASCADE;The following is similar, except that it fails to doanything if it would be required that the privilege berevoked from some other user in cascading fashion.REVOKE SELECTON EmployeeFROM SmithRESTRICT;20051209: slides19:7of 22It is possible for more than one user to grant thesame privilege to another.Example: Suppose that both Washington andLincoln issue the following identical grantcommands, which they have the authority toexecute:GRANT SELECTON EmployeeTO Smith;Now suppose that Washington issues the followingcommand:REVOKE SELECTON EmployeeFROM SmithRESTRICT;In this case, although the command “succeeds,”Smith retains the priviliges because it was alsogranted by Lincoln. On the other hand, if Lincolnsubsequently issues the same command, Smith willlose the privilege.20051209: slides19:8of 22However, suppose that the situation is as follows:First, Washington grants the right to Lincoln:GRANT SELECTON EmployeeTO LincolnWITH GRANT OPTION;Now Lincoln passes this right on to Smith:GRANT SELECTON EmployeeTO Smith;If Washington now issues the following command,Smith as well as Lincoln will lose the associatedprivileges.REVOKE SELECTON EmployeeFROM LincolnCASCADE;However, if CASCADE is replaced by RESTRICT,the directive will fail and both Smith and Lincoln willretain the privilege. (It is not clear how one isinformed of this failure, since SQL does not have astandard status-return mechanism.)20051209: slides19:9of 22Authorization in PostgreSQL:●Privileges may be granted to any other user, butthese priviliges are useful only if that user isallowed to connect to the database on which thepriviliges were granted.●If a user is allowed to connect to a database, thenthat useralwayshas the privilege of creating newrelations and using them.●A user is always the owner of a relation createdfrom that user account, regardless of theownership of the actual database.●Thus, if access is to be granted at all to adatabase, then the privilege of creating andowning new relations by those with access isirrevocable, even by the system administrator.●If you allow a user to connect to your database,then that user will be able to create and controlrelations within your database. You may not evenbe able to read them. The creator must grantprivilieges to you!●This is not good.20051209: slides19:10of 22Mandatory Access ControlMandatory access control is applied in situations inwhich users may be assignedsecurity classes.

Assumptions and notation:·The security classes form a total order;e.g.,

top secret > secret > confidential > unclassified.·Each user is assigned a security class. WriteClearance(U) to denote the security class of userU (called theclearanceof U).·Each database object is also assigned a valuefrom this set of security classes. Classification(P)denotes the security class associated withdatabase object P.The following rules are then enforced:1.User U has read access to object P iffClearance(U)Classification(P).(This is called thesimple security property.)2.User U has update privileges on object P iffClearance(U) = Classfication(P).(This is called thestar property.)The first property is intuitive. The second seemsstrange and requires elaboration.20051209: slides19:11of 22Analysis of the Star Property:The intent of the star property is to preventinformation from being passed down from a higherclassification to a lower one.Question: The textbook stipulatesClearance(U)Classification(P)Is this not more flexible?Answer: Yes, in a way, but then user U could writeinformation which U would not subsequently beallowed to read!Question: Is this requirement realistic in practice?Answer: Probably not without some modification.●It should be possible to trust people with higherclassifications not to carelessly write thisinformation into documents with lowerclassification.20051209: slides19:12of 22Authority of the Database Administrator·Thedatabase administrator(DBA) is thedatabase equivalent of a system administrator.Typically, the DBA has sole authority in thefollowing areas of authorization:·Create new accounts, and delete existing ones.·Define security levels of accounts.·Assign initial authorities.Some of these responsibilities may be delegated inthe management of a very large system, but only invery controlled ways.20051209: slides19:13of 22SecurityKey security issues:·Prevent attacks from outside intruders. Theissues here are similar to those for operatingsystems.·Prevent unauthorized access from insiders. Akey technique here is the maintenance of detailedtransaction logs.·Use care not to grant privileges unintentionally.This problem is particularly relevant in the contextof statistical databases.20051209: slides19:14of 22Security for Statistical DatabasesIt is common to grant “summary” access to largedatabases, without permitting detailed access.Example query for company database:Provide the average salary of all employees inthe research department.·The idea here is to provide information about thegeneral state of things, without revealing detailed,confidential information about individuals.Some databases, particularly those maintained bygovernment agencies, are explicitly stated to bemaintained for purposes of summary informationonly, with details about individuals held “strictlyconfidential.”Question: Can we maintain such privacy, and if so,how?A basic problem is that of using so-calledindividualtrackers,which are queries designed to identify aunique individual.The following is a simple example, fromFrom D. E. Denning and P. J. Denning,DataSecurity,ACM Computing Surveys, Vol. 11, No. 3,1979, pp. 227-249.Suppose that we have a medical database whichcontains allows only statistical queries.20051209: slides19:15of 22Query: How many patients have thesecharacteristics?MaleAge 45-50MarriedTwo childrenHarvard law degreeBank vice presidentAnswer: 1Suppose the questioner knows that Jones hasthese characteristics. Now the following query isposed.Query: How many patients have thesecharacteristics?MaleAge 45-50MarriedTwo childrenHarvard law degreeBank vice presidentTook drugs for depressionThe answer will be either 1 or 0, and will then tell uswhether or not Jones took drugs for depression.So, if the querier knows enough about Jones toconstruct the first query, further information may beobtained easily.A candidate solution to this problem is a so-calledminimum query set control. The idea is as follows:20051209: slides19:16of 22Assume that the database contains n records.Let k be a relatively large positive integer which isless than n.·Strategy: Prohibit queries for which there arefewer than k or more than n-k records in thequery set.Problem: Even with such controls, security may becomprised.Example: This example uses the Companydatabase of the text, and the specific instanceshown in Figure 5.6 (7.6 in the 3rdedition).Query: Find the salary of Joyce English.The querySELECT SalaryFROM EmployeeWHERE (Lname = “English”)

AND (Fname = “Joyce”);is not allowed, since only statistical queries arepermitted.20051209: slides19:17of 22Suppose it is known that Joyce is the only femalewho works on the ProductY project. The “statistical”query P shown below delivers the correct answer.P: SELECT AVG(Salary)FROM Employee, Works_On, ProjectWHERE (SSN = ESSN) AND

(PNO = PNumber) AND

(PName = 'ProductY') AND

(Sex = “F”);However, it is not allowed, since it returns only onerecord.·Note that n=8; there are 8 employees in thedatabase.·Suppose that k is set to 2 for this example. (Itwould be much larger in a real example.) Thus,any query must return aggregate data for at leasttwo records, and no more than 6 records.Start by building the following so-calledgeneraltracker, which we will call T0.T0: SELECT Count(*), AVG(Salary)FROMEmployee, DepartmentWHERE (DNO = Dnumber) AND

(NOT (Dname = “Administration”));Thus, we know that the database consists of eightEmployee tuples.To proceed, we first need to know which of the twosets Joyce English is in. The query Q0, defined asQ0: SELECT Count(*), AVG(Salary)FROMEmployee, DepartmentWHERE (DNO = Dnumber) AND

((Dname = “Administration”) OR(SSN IN

(SELECT E.SSN

FROM Employee E, Works_On, Project

WHERE (E.SSN = ESSN) AND

(PNO = PNumber) AND

(PName = 'ProductY') AND

(Sex = “F”)));yields a count of four tuples, one more tuple thanT0. Thus, we know that Joyce English is a memberof the result of T1, and not of T0.At this point, it is easy to compute the salary ofJoyce English from the results of Q0 and T0. Justtake the differences of the total salaries in eachcase.20051209: slides19:19of 22If Q0 had returned a count of only three tuples, thenit would be necessary to obtain the result of thefollowing query Q1, and then use that result and theresult of T1 to obtain the salary of Joyce English.Q1: SELECT Count(*), AVG(Salary)FROMEmployee, DepartmentWHERE (DNO = Dnumber) AND((NOT (Dname = "Administration"))OR(SSN IN

(SELECT E.SSN

FROM Employee E, Works_On, Project

WHERE (E.SSN = ESSN) AND

(PNO = PNumber) AND

(PName = 'ProductY') AND

(Sex = “F”)));

In either case, it is easy to find the exact salary ofJoyce English from statistical queries over largesets along.20051209: slides19:20of 22Here is the general idea.·Let T be the tracker formula, which divides thedatabase into two large sets. Let Tcdenote thecomplementary set. (These are T0 and T1 in theexample.)·Let P be the query which identifies the individualU uniquely.First determine which of {T,Tc} includes theindividual, by issuing queries which measure theresult size. Let T^{T,Tc}denote the query whichdoes not include the individual to be traced. Then(T^

P) delivers information on U aggregated withT.(T^



P) delivers information on T without U.From these two, information on U alone may easilybe extracted.20051209: slides19:21of 22How to deter tracking queries:·Database partitioning: Partition the databaseinto groups. Only queries whose record setsconsists of the union of entire groups are allowed.Queries on subsets of groups are not allowed.·Noise:Introduce “noise” into the result of aquery, so that numerical answers are not exact.This must be done carefully, so that the noisecannot be filtered out by massaging a largenumber of queries.·Random samples:Instead of presenting adatabase with all individuals, include only arandom sample. This technique is useful for verylarge statistical-only databases, such as censusdatabases.20051209: slides19:22of 22